Communication information recording device

ABSTRACT

The object of the present invention is to obtain the records of communication through the network. Monitoring the packet data passing through the objective network and adding the detection data corresponding to its type, and by storing the resultant in the analysis result database, the data can be simply and certainly read out after the completion of communications.

TECHNICAL FIELD OF THE INVENTION

[0001] The present invention relates to a communication information recording device and is suitably applied to the case of confirming the communication information flowing into a network that becomes an object to be monitored after the completion of communications.

TECHNICAL BACKGROUND OF THE INVENTION

[0002] In the network that is constructed to transmit or receive information by using the applicable LAN (Local Area Network) in the plural number of terminal devices connected to the LAN, there may be cases where the existence or non-existence of the communication should be confirmed after the communication has been conducted.

[0003] For example, there may be cases where we want to confirm whether a network crime has been conducted or not from the inside of the LAN network or the external network connected to the LAN network (e.g., Internet), and we want to obtain evidence that the communication has been conducted (e.g., the evidence of an electronic commercial transaction).

[0004] As a method to solve such problems, a method to provide software using the GUI (Graphical User Interface) for information recording only in each terminal device has been adopted. However, this has created complicated work when confirming the recorded information after the communication has been conducted.

DISCLOSURE OF THE INVENTION

[0005] The present invention has been done considering the above points and is proposing a communication information recording device capable of more easily confirming the communication information after its recording or transmission has been conducted.

[0006] To obviate such problems according to the present invention, receiving data of data stream D0 flowing in an objective network 2, dividing the received data into session data for one communication D1, and selecting communication item data contained in the divided session data D1, (HTTP communication, SMTP communication, POP3 communication), (SMTP command MAIL FROM and RCPT TO), (POP3 command USER and APOP), (mail header From, Subject, To, and Cc), (HTTP request GET, POST, HEAD, DELETE, OPTIONS, PUT, LINK, UNLINK, TRACE, CONNECT), (HTTP header Content-Length, Host), the analysis result data will be formed. By adding Category=1, 2 . . . to these analysis result data and storing these in the analysis result database 11, the analysis result data can be selectively read out from the analysis result database 11 based on the detection data category=1, 2 . . . , and thus, the communication result of the objective network 2 can be confirmed.

[0007] By adding the detection data to the communication item data and storing these in the analysis result database 11, the data of a data stream flowing in the objective network 2 can be easily confirmed after the communication has been transmitted by using the detection data. Thereby, the communication information recording device capable of easily finding whether the crime has been conducted onto the objective network 2 or not, and capable of more easily securing the evidence that the communication has been conducted, can be realized.

[0008] According to the present invention as described above, since the communication data passing through the objective network will be received, and the received communication data will be classified according to the data categories, and, adding new detection data, these will be stored in the analysis result database, the progress of communications using the objective network can be easily and certainly confirmed based on the analysis result data stored in this analysis result database. Thus, the communication information recording device capable of easily and surely giving the evidence on the network crime and the evidence of the electronic commerce transaction can be realized.

BRIEF DESCRIPTION OF DRAWINGS

[0009] FIG. 1 is a block diagram showing the general construction of a communication information recording device according to the present invention.

[0010] FIG. 2 is a flow chart showing the communication information recording processing procedure of a communication information recording device 6 of FIG. 1.

[0011] FIG. 3 is a schematic diagram showing the construction of electronic mail information flowing in the objective network 2 of FIG. 1.

[0012] FIG. 4 is a flow chart showing the detailed construction of the mail data analysis step SP5 of FIG. 2.

[0013] FIG. 5 is a flow chart showing the detailed construction of the mail data analysis step SP5 of FIG. 2.

[0014] FIG. 6 is a schematic diagram showing the construction of electronic mail data DATA11 (Request to server) to be processed in FIG. 4 and FIG. 5.

[0015] FIG. 7 is a schematic diagram showing the construction of response data DATA12 (Response from server) to be processed in FIG. 4 and FIG. 5.

[0016] FIG. 8 is a flow chart showing the categorization processing procedure.

[0017] FIG. 9 is a flow chart showing the categorization processing procedure, as FIG. 8 does.

[0018] FIG. 10 is a schematic diagram showing the construction of the mail category database to be used in the categorization processing procedure of FIGS. 8 and 9.

[0019] FIG. 11 is a flow chart showing the detailed construction of the POP3 data analysis step SP7 of FIG. 2.

[0020] FIG. 12 is a flow chart showing the detailed construction of the POP3 data analysis step SP7 of FIG. 2, as FIG. 11 does.

[0021] FIG. 13 is a schematic diagram showing the construction of the request data DATA21 (Request to server) of the POP3.

[0022] FIG. 14 is a schematic diagram showing the construction of electronic mail data DATA22 (Response from server) of the POP3.

[0023] FIG. 15 is a flow chart showing the detailed construction of the HTTP data analysis step SP8 of FIG. 2.

[0024] FIG. 16 is a flow chart showing the detailed construction of the HTTP data analysis step SP8 of FIG. 2, the same as FIG. 15.

[0025] FIG. 17 is a schematic diagram showing the construction of the Web data of FIG. 15 and FIG. 16.

[0026] FIG. 18 is a schematic diagram showing the POST request data DATA31 (Request to server).

[0027] FIG. 19 is a schematic diagram showing the POST response data DATA32 (Response from server).

[0028] FIG. 20 is a schematic diagram showing the request data DATA41 and response data DATA42 of the GET request.

[0029] FIG. 21 is a flow chart showing the readout processing procedure of the analysis data.

[0030] FIG. 22 is a flow chart showing the intrusion detection analysis processing procedure of FIG. 2.

BEST MODE FOR CARRYING OUT THE INVENTION

[0031] The present invention will be described in detail with reference to the accompanying drawings.

[0032] (1) General Construction

[0033] In FIG. 1, 1 generally shows communication networks in which an objective network 2 comprising the LAN network is connected to the Internet net 5.

[0034] The objective network 2 is connected to the plural number of terminal devices 3A, 3B . . . and these terminal devices 3A, 3B . . . communicate electronic mail information with the mail server 4A and mail servers 15A, 15B . . . provided in the management headquarter 4 with the Web browser 4B, and simultaneously the mail server 4A communicates electronic mail information between external mail servers 15A, 15B . . . through the Internet net 5 connected to the objective network 2.

[0035] The terminal devices 3A, 3B . . . communicate Web pages between HTTP servers 14A, 14B . . . through the objective network 2 by using the HTTP protocol.

[0036] With this arrangement, the electronic mail information and Web page information flowing into the objective network 2 will be monitored by the communication information recording device 6 connected to the objective network 2.

[0037] Since the central processing unit (CPU) 9 connected to the program memory 8 executes the communication information recording program through a bus 7 using a work memory 10, the communication information recording device 6 executes the analysis processing on the electronic mail information and Web page information flowing into the objective network 2 according to the communication information recording processing procedure RT0 shown in FIG. 2, and stores the analysis result data showing the contents of the communication information in the analysis result database 11 via the bus 7.

[0038] (2) Communication Information Recording Processing Procedure

[0039] When the CPU 9 of the communication information recording device 6 enters into the communication information recording processing procedure RT0 of FIG. 2, it successively captures packet data containing electronic mail information and Web page information flowing in the objective network 2 at the step SP1, and stores these into the work memory 10.

[0040] As shown in FIG. 3, since the packet data P1 continuously flow in from the communication start point T0 to the communication stop point T1 during the communication for a single time, the data stream D0 transmits the session data D1 representing one communication.

[0041] On the other hand, the CPU 9 of the communication information recording device 6 divides this data stream D0 per the predetermined monitor time and, adding the monitor file names, stores these in the work memory 10.

[0042] While the packet data P1 flowing in the objective network 2 will be captured in the work memory 10 per the predetermined monitor time, the CPU 9, after conducting the analysis time waiting processing at the step SP2 and waiting till the analysis time point arrives, at the step SP3 cuts out the packet data captured in the work memory 10 per one session and adds the analysis file name.

[0043] Then, the CPU 9 executes the analysis subroutine of SMTP mail data on the electronic mail information to which analysis file names are added according to the type of electronic mail information captured at the step SP5, or it executes the analysis subroutine of the POP3 mail data at the step SP7.

[0044] At the step SP8, the CPU 9 executes the analysis subroutine of HTTP, and at the step SP9, it executes the intrusion detection analysis subroutine.

[0045] Thus, the CPU 9 terminates the analysis on the electronic mail information and Web page to which the monitor file names were attached at the step SP1, and returning to the step SP1, it repeats the analysis processing on the following monitor time.

[0046] As a result, in the communication information recording device 6, when the terminal devices 3A, 3B . . . transmit/receive electronic mails via the mail server 4A, or when the terminal devices 3A, 3B . . . read out electronic mail information from the mail server 4 and mail servers 15A, 15B . . . , or when the terminal devices 3A, 3B . . . receive a Web page from the HTTP servers 14A, 14B . . . of the Internet net 5 via the objective network 2, the communication information recording device 6 receives the electronic mail information and Web page information flowing in the objective network 2, and stores the analysis result in the analysis result database 11.
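The capture, monitor-time division and per-session cut-out of steps SP1 to SP3, with the dispatch to the SMTP, POP3 and HTTP analysis subroutines (SP5, SP7, SP8), as an added example that is not part of the patent. The packet records are constructed; the HTTP ports 80, 3128 and 8080 are those the patent names, while ports 25 (SMTP) and 110 (POP3) and the 60-second monitor time are assumptions of this example.

```python
"""Added example, not from the patent: capture (SP1), monitor-time division,
session cut-out (SP3) and dispatch to the SMTP/POP3/HTTP subroutines.
Packet records are constructed; ports 25 and 110 are the standard SMTP and
POP3 assignments and an assumption here, the HTTP ports are from [0111]."""
from collections import defaultdict

HTTP_PORTS = {80, 3128, 8080}     # the three port numbers of paragraph [0111]
SMTP_PORT, POP3_PORT = 25, 110    # assumption: standard service ports
MONITOR_SECONDS = 60.0            # assumed length of one monitor time

# Constructed client-to-server packets:
# (time, src ip, src port, dst ip, dst port, payload)
PACKETS = [
    (0.0, "10.0.0.5", 51000, "10.0.0.2", 25, b"MAIL FROM:<a@example.test>\r\n"),
    (0.1, "10.0.0.5", 51001, "10.0.0.9", 110, b"USER alice\r\n"),
    (0.2, "10.0.0.5", 51000, "10.0.0.2", 25, b"RCPT TO:<b@example.test>\r\n"),
    (0.3, "10.0.0.6", 51002, "203.0.113.7", 8080, b"GET /index.html HTTP/1.1\r\n"),
    (0.4, "10.0.0.5", 51001, "10.0.0.9", 110, b"PASS secret\r\n"),
    (0.5, "10.0.0.6", 51002, "203.0.113.7", 8080, b"Host: www.example.test\r\n"),
    (61.0, "10.0.0.6", 51003, "203.0.113.8", 80, b"GET /logo.gif HTTP/1.0\r\n"),
]


def split_sessions(packets):
    """SP3: group the packets of one monitor file by flow; each flow is one
    session D1 running from its first packet (T0) to its last (T1)."""
    flows = defaultdict(list)
    for t, sip, sport, dip, dport, payload in packets:
        flows[(sip, sport, dip, dport)].append((t, payload))
    sessions = []
    for (sip, sport, dip, dport), pkts in flows.items():
        pkts.sort(key=lambda p: p[0])
        sessions.append({
            "client": sip, "server": dip, "server_port": dport,
            "t0": pkts[0][0], "t1": pkts[-1][0],
            "data": b"".join(p for _, p in pkts),
        })
    return sessions


def classify(session):
    """Select the analysis subroutine (SP5, SP7 or SP8) by server port."""
    port = session["server_port"]
    if port == SMTP_PORT:
        return "SMTP"
    if port == POP3_PORT:
        return "POP3"
    if port in HTTP_PORTS:
        return "HTTP"
    return "OTHER"


def record_procedure(packets, monitor_seconds=MONITOR_SECONDS):
    """RT0: SP1 stores packets per monitor time under a monitor file name;
    SP3 cuts each monitor file into sessions under an analysis file name."""
    monitor_files = defaultdict(list)
    for pkt in packets:
        monitor_files[int(pkt[0] // monitor_seconds)].append(pkt)
    out = []
    for idx, pkts in sorted(monitor_files.items()):
        for n, s in enumerate(split_sessions(pkts), start=1):
            out.append({"monitor_file": f"monitor-{idx:04d}",
                        "analysis_file": f"monitor-{idx:04d}-{n:03d}",
                        "type": classify(s), **s})
    return out


if __name__ == "__main__":
    for rec in record_procedure(PACKETS):
        print(rec["analysis_file"], rec["type"], rec["server"], rec["t0"], rec["t1"])
```

The flow key is the client-to-server 4-tuple only, which is enough for the constructed one-directional packets; a real capture also carries the server's replies and would key on the direction-normalised tuple so both halves of a session land in one file.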

[0047] (3) Mail Data Analysis Processing Procedure

[0048] The communication information recording device 6 executes the mail data analysis processing procedure shown in FIGS. 4 and 5 at the mail data analysis processing routine SP5 of FIG. 2.

[0049] The processing of this mail data analysis processing routine SP5 will be conducted in the case where the electronic mail information flowing in the objective network 2 is electronic mail information transferred based on the simple mail transfer protocol (SMTP). And this simple mail transfer protocol (SMTP) mail is formed of electronic mail data DATA11 of FIG. 6 as request data to the mail server 4A.

[0050] When the mail server 4A receives this SMTP mail, the mail server 4A transmits the data of FIG. 7 as response data DATA12.

[0051] In the case of the SMTP electronic mail data DATA11 of FIG. 6, it has the SMTP command S11 in the first 4 lines from the top, and has the mail main body S12 from the following line to “.”.

[0052] Furthermore, the mail main body S12 comprises a mail header unit S13, a main text unit S14 and an attachment file unit S15.

[0053] When the CPU 9 enters the mail data analysis processing routine SP5 of FIG. 4, after dividing the mail using the SMTP protocol at the step SP21, it successively obtains the “RCPT TO” line and the “MAIL FROM” line in the SMTP command S11 (FIG. 6) at the steps SP22 and SP23. And thus, it obtains the data showing that the data is an electronic mail from the name of the mail sender to the name of the addressee.

[0054] Then, at the step SP24, the CPU 9 cuts out from the mail header S13 through the end of the main text S14 as one file, and by writing this into the file of the work memory 10 temporarily and putting the mail header in the associative array at the step SP25, it makes each item of the mail header referable.

[0055] Then next, the CPU 9 judges whether there exist any attachment files or not at the step SP26, and when an affirmative result is obtained, it moves to the step SP27 and executes the virus detection module and simultaneously judges whether a virus is detected or not at the step SP28.

[0056] If an affirmative result is obtained at this virus detection step SP28, the CPU 9 judges that the electronic mail is Category=2 at the step SP29 and moves to the step SP30.

[0057] Here, the reason for categorizing the electronic mails received is that by classifying these electronic mails into categories according to the contents of the electronic mails and storing them in the analysis result database 11, these data can be read based on the result of categorization when reading the contents of the analysis result database 11 after they are communicated, and thus, this makes the data of the analysis result database 11 easy to read out.

[0058] Thus, the CPU 9 detects a virus, if one exists, in the electronic mail having the attachment file, and classifies the category of the electronic mail into Category=2.

[0059] On the other hand, if the CPU 9 judges that there is no attachment file at the step SP26, or when a virus has not been detected at the step SP28, the CPU 9 skips the step SP29 and moves to the step SP30.

[0060] The processing of this step SP30 is the processing to decode the “Subject” (title) (i.e., to change from 7 bits to generally readable 8 bits (MIME decoding)) in the mail header S13 of the SMTP electronic mail DATA11 (FIG. 6). And then, at the step SP31, the CPU 9 decodes “Filename” (attached file name), and at the following step SP32, the CPU 9 decodes the “From” item of the mail header unit S13, and at the following step SP33, it decodes the “To” item of the mail header unit S13 and decodes the “Cc” item of the mail header unit S13 at the following step SP34.

[0061] By conducting the processing described above, the CPU 9 will find who the SMTP mail comes from and to whom it goes, and to whom the Cc copy should be sent, and as well as knowing the title and attachment file name, it knows the existence or non-existence of a virus.

[0062] Under such circumstances, the CPU 9 judges whether the category of the electronic mail is “Category=2” or not at the step SP35. And when an affirmative result is obtained, it moves to the step SP36 (FIG. 5) and executes the processing (on the SMTP mail in which a virus is detected) to enter the mail main text S14, response data DATA12, SMTP command S11, and the “To” item, “Cc” item, “From” item and “Subject” item of the mail header S13 into the analysis result database 11 as the communication item data to show the communication contents.

[0063] On the other hand, if a negative result is obtained at the step SP35 (FIG. 4), this means that the SMTP mail has no virus, and at this moment, the CPU 9 moves to the step SP37 and judges whether the SMTP command “MAIL FROM” item, SMTP command “RCPT TO” item, POP3 command “USER” item, POP3 command “APOP” item, mail header “From” item, mail header “To” item and the mail header “Cc” item agree with the private database 12 or not.

[0064] Here the private database 12 means that other persons except the persons registered in the private database 12 are not allowed to read the contents of the SMTP electronic mail.

[0065] If an affirmative result is obtained at the step SP37, this means that other persons would not be allowed to read the contents of the SMTP electronic mail. And at this moment, at the step SP38, as well as changing the “Subject” item of the mail header to private, the CPU 9 changes the “To” item of the mail header to private at the step SP39. Then at the step SP40, setting “category=1”, the CPU 9 moves to the following step SP41.

[0066] Thus, when the CPU 9 confirms that the SMTP mail is not allowed to be seen by other persons, it sets both the mail header “Subject” item and the mail header “To” item to private, and simultaneously, by regarding it as “category=1”, the contents of the SMTP mail can be set not to be seen even after the electronic mail is transmitted.

[0067] On the other hand, if a negative result is obtained at the step SP37, this means that the SMTP mail is not prohibited from being seen, and at this moment, skipping the step SP38 through the step SP40, the CPU 9 moves to the step SP41.

[0068] This step SP41 compares the contents of the mail header with the value of “mail-category” set in advance in the mail category database 13 (FIG. 1) and categorizes these.

[0069] As shown in FIG. 10, the mail category database 13 sets groups of categories and words that belong to mail-category1, 2, 3, 4 and 5 on the mail header “From” item, “To” item, “ALL” item, “Reply-To” item and “Subject” item as the reference data.

[0070] Furthermore, on the “main text” item, the mail category database 13 sets a group of category and words (word (EUC), word2 (JIS) and word3 (Shift-JIS)) as the reference data to rate the mail-category5.

[0071] Furthermore, on the POP3 item, the mail category database 13 has a group of category and word (POP) and word2 (APOP) as the reference data to judge the category6.

[0072] At this moment the CPU 9 judges whether the mail header of the SMTP mail agrees with the mail category database 13 or not at the step SP75 continued from the step SP41. And when an affirmative result is obtained, the CPU 9 moves to the step SP76, substitutes the value of the category into the condition category agreed, and moves to the step SP36.

[0073] Here, the SMTP mail is the electronic mail transferred from a terminal device to the mail server 4A by the simple mail transfer protocol (SMTP). And the reference data of the header set in the mail category database 13 are the “From” item and “To” item, and the CPU 9 judges whether these two items agree or not at the step SP75.

[0074] On the other hand, when a negative result is obtained at the step SP75, the CPU 9 compares the main text of the mail with the words registered in the mail-category5 of the mail category database 13 at the step SP77. And when the CPU 9 judges that these agree at the step SP78, substituting the value of the category into the category agreed at the step SP79, it moves to the step SP36.

[0075] Besides, if a negative result is obtained at the step SP78, the CPU 9 moves to the step SP36 described above.

[0076] By executing the SMTP mail data analysis processing procedure SP5 of FIGS. 4 and 5, the CPU 9 judges whether the monitored electronic mail is allowed to be seen or not, and by judging to what category the electronic mail belongs, it stores the resultant in the analysis result database 11.

[0077] (4) POP3 Data Analysis Processing Procedure

[0078] At the POP3 data analysis subroutine SP7 (FIG. 2), in the case where the terminal devices 3A, 3B . . . read the mail pooled in the mail server 4 and mail servers 15A, 15B . . . , the CPU 9 of the communication information recording device 6 monitors the electronic mail information flowing in the objective network 2 by the POP3 protocol (Post Office Protocol Version 3) according to the POP3 data analysis processing procedure SP7.

[0079] When the CPU 9 enters the POP3 data analysis processing procedure SP7, the CPU 9 divides the mail based on the POP3 protocol at the step SP75.

[0080] Then, request data DATA21 (shown in FIG. 13) of the electronic mail information based on the POP3 protocol will be transmitted to the mail server 4 from the terminal devices 3A, 3B . . . via the objective network 2. And as the response to this request, electronic mail data DATA22 shown in FIG. 14 will be sent from the mail server 4 and mail servers 15A, 15B to the terminal devices 3A, 3B that sent out the request.

[0081] The electronic mail data DATA22 is formed of a POP3 response S21 and a mail main body S22, and the mail main body S22 comprises a mail header S23 and a mail main text S24.

[0082] Thus, the CPU 9, after dividing the mail utilizing the POP3 response S21 at the step SP75, obtains the “USER” item (the user name is described) or the “APOP” item (the user name and password are described) of the POP3 command of the request data DATA21 at the steps SP76 and SP77, and simultaneously, at the step SP78, it extracts the data from the mail header S23 to the end of the mail main text S24 of the electronic mail data DATA22 as one file, and temporarily stores it in the work memory 10.

[0083] Then, at the step SP79, after entering the mail header in the associative array so that each item can be taken out as occasion demands, the CPU 9 judges whether there exist any attachment files or not at the step SP80. And if an affirmative result is obtained, it executes the virus detection module at the step SP81. Then at the step SP82, if the judgment result that a virus has been detected is obtained, the CPU 9 judges that the electronic mail is category=2 at the step SP83, and moves to the following step SP84.

[0084] On the other hand, if the judgment that there is no attachment file is obtained at the step SP80, or the judgment that a virus has not been detected is obtained at the step SP82, the CPU 9 moves to the step SP84 immediately.

[0085] At the step SP84, the CPU 9 decodes the “Subject” item of the mail header S23 from 7 bits to generally readable 8 bits (MIME decoding).

[0086] Similarly, at the following steps SP85, SP86, SP87 and SP88, the CPU 9 successively MIME decodes the “attachment file name” item, the “From” item of the mail header, the “To” item of the mail header and the “Cc” item of the mail header.

[0087] Then, at the step SP89, the CPU 9 judges whether the category of the electronic mail is Category=2 or not, and when an affirmative result is obtained, it moves to the step SP90 (FIG. 12) and enters the “mail main text”, “response data”, “SMTP command”, mail header “To”, “Cc”, “From” items and “Subject” item into the analysis result database 11.

[0088] On the other hand, if a negative result is obtained at the step SP89 (FIG. 11), the CPU 9, at the step SP91, judges whether one of the items, SMTP command “MAIL FROM” item or “RCPT TO” item, or POP3 command “USER” item or APOP item, or mail header “From” item, “To” item or “Cc” item, agrees with the private data stored in the private database 12.

[0089] At the step SP91, if an affirmative result is obtained, this means that a third person is not allowed to read the electronic mail, and at this moment, the CPU 9 changes the mail header “Subject” item to private data at the step SP92. And at the step SP93, after changing the “From” item to private data, it judges the electronic mail category as category=1 at the step SP94, and moving to the step SP90, the CPU 9 registers this in the analysis result database 11.

[0090] On the other hand, if a negative result is obtained at the step SP91, this shows that the foregoing processing could not conduct the categorization. And at this moment, the CPU 9 executes the categorization processing subroutine SP42 at the step SP95.
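The SMTP analysis routine SP5 (FIGS. 4 and 5, paragraphs [0053] to [0067]) and the POP3 analysis routine SP7 (FIGS. 11 and 12) share the same sequence: separate the commands from the mail body, put the header in an associative array, MIME-decode it, scan attachments, then compare the sender and addressee items with the private database 12. One implementation of both, as an added example that is not the patent's own code: the SMTP session, the POP3 request and response, the private database contents and the attachment scanner are constructed stand-ins (the patent does not describe its virus detection module, so the scanner here only looks for a constructed marker string). The category database comparison of SP41/SP42 is left out of this block.

```python
"""Added example, not part of the patent: SMTP routine SP5 and POP3 routine
SP7 on constructed sessions. Private database 12 and the virus scanner are
constructed stand-ins. Category matching (SP41/SP42) is not included."""
import email
import re
from email.header import decode_header, make_header
from email.utils import getaddresses

MAIL_BODY = (  # constructed mail main body: header unit, main text, attachment
    b"From: Alice <alice@example.test>\r\n"
    b"To: Bob <bob@example.test>\r\n"
    b"Cc: carol@example.test\r\n"
    b"Subject: =?UTF-8?B?SGVsbG8gV29ybGQ=?=\r\n"   # MIME-encoded title
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n'
    b"\r\n--b1\r\nContent-Type: text/plain\r\n\r\nreport attached\r\n"
    b"--b1\r\nContent-Type: application/octet-stream\r\n"
    b'Content-Disposition: attachment; filename="report.bin"\r\n'
    b"\r\nCONSTRUCTED-VIRUS-MARKER\r\n--b1--\r\n"
)
# DATA11 shape: SMTP command lines, then the body terminated by a "." line
SMTP_SESSION = (b"HELO client.example.test\r\nMAIL FROM:<alice@example.test>\r\n"
                b"RCPT TO:<bob@example.test>\r\nDATA\r\n" + MAIL_BODY + b".\r\n")
POP3_REQUEST = b"USER bob\r\nPASS hunter2\r\nRETR 1\r\n"        # DATA21 shape
POP3_RESPONSE = b"+OK 300 octets\r\n" + MAIL_BODY + b".\r\n"    # DATA22 shape
PRIVATE_DB = {"bob@example.test", "bob"}     # constructed private database 12
VIRUS_MARKER = b"CONSTRUCTED-VIRUS-MARKER"   # constructed scanner signature


def split_smtp(session):
    """SP21: SMTP command lines S11, then the mail body S12 up to the '.' line."""
    lines = session.split(b"\r\n")
    i = lines.index(b"DATA")
    body = lines[i + 1:]
    return [l.decode() for l in lines[:i]], b"\r\n".join(body[:body.index(b".")])


def split_pop3(request, response):
    """SP75: POP3 commands from DATA21; mail body of DATA22 after the +OK line."""
    lines = response.split(b"\r\n")[1:]
    return ([l.decode() for l in request.split(b"\r\n") if l],
            b"\r\n".join(lines[:lines.index(b".")]))


def command_arg(commands, verb):
    """SP22/SP23 and SP76/SP77: the argument of 'MAIL FROM:<x>' or 'USER x'."""
    for c in commands:
        m = re.match(rf"{verb}[:\s]\s*<?([^>\s]*)>?", c, re.I)
        if m:
            return m.group(1)
    return None


def decoded(value):
    """SP30..SP34 / SP84..SP88: MIME-decode a header value (7-bit to 8-bit)."""
    return str(make_header(decode_header(value))) if value else ""


def attachments(msg):
    """SP26 / SP80: (filename, bytes) for every part that carries a filename."""
    return [(decoded(p.get_filename()), p.get_payload(decode=True) or b"")
            for p in msg.walk() if p.get_filename()]


def scan_attachment(data):
    """Stand-in for the virus detection module (SP27 / SP81); constructed."""
    return VIRUS_MARKER in data


def analyse_mail(protocol, commands, body, private_db=PRIVATE_DB,
                 scanner=scan_attachment):
    """Form the analysis result record for one SMTP or POP3 mail."""
    msg = email.message_from_bytes(body)
    # SP25 / SP79: the mail header as an associative array, MIME-decoded
    hdr = {k: decoded(msg.get(k)) for k in ("From", "To", "Cc", "Subject")}
    files = attachments(msg)
    ids = {v: command_arg(commands, v)
           for v in ("MAIL FROM", "RCPT TO", "USER", "APOP")}
    record = {"protocol": protocol, "commands": ids,
              "attachments": [n for n, _ in files], "category": None}
    if any(scanner(data) for _, data in files):
        record["category"] = 2                 # SP29 / SP83: virus detected
    else:
        names = {a for _, a in getaddresses([hdr["From"], hdr["To"], hdr["Cc"]])}
        names |= {v for v in ids.values() if v}
        if names & private_db:                 # SP37 / SP91: private mail
            hdr["Subject"] = "private"
            # SMTP hides the "To" item (SP39); POP3 hides the "From" item (SP93)
            hdr["To" if protocol == "SMTP" else "From"] = "private"
            record["category"] = 1
    record["header"] = hdr
    return record


def analyse_smtp(session, **kw):
    return analyse_mail("SMTP", *split_smtp(session), **kw)


def analyse_pop3(request, response, **kw):
    return analyse_mail("POP3", *split_pop3(request, response), **kw)
```

A `category` of `None` in the returned record means the mail was neither infected nor private and is left for the category database step; the virus check runs first because a Category=2 mail goes straight to the database entry step (SP36 / SP90) without the private check.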

[0091] When the CPU 9 enters the categorization processing subroutine SP42, as shown in FIGS. 8 and 9, after comparing the “From” item in the mail header of the mail with the word of “mail-category1” of the mail category database 13 at the step SP51, the CPU 9 judges whether there exist any agreeing data or not at the step SP52. And when an affirmative result is obtained, the CPU 9 moves to the step SP53 and determines the category corresponding to the word agreed as the category1.

[0092] If a negative result is obtained at the step SP52, the CPU 9 compares the “From” item in the mail header with the word of “mail-category2” at the step SP54. At the step SP55, if there exist agreeing data, at the step SP56 the CPU 9 judges the category of the word agreed as category2.

[0093] Furthermore, if a negative result is obtained at the step SP55, the CPU 9 compares the “From” item, “To” item and “Cc” item in the mail header and the “MAIL-FROM” item and “RCPT-TO” item in the SMTP command with the word of the mail-category3 of the mail category database 13. Moreover, at the step SP58, if there exist agreeing data, the CPU 9 judges the category corresponding to the word agreed as the category3 at the step SP59.

[0094] Furthermore, if a negative result is obtained at the step SP59, the CPU 9 compares the “Reply-To” item in the mail header with the word of the mail-category4 of the mail category database 13 at the step SP60. And at the step SP61, when it is found that there is agreement, the CPU 9 judges the category corresponding to the word agreed as the category4 at the step SP62.

[0095] Furthermore, if a negative result is obtained at the step SP61, the CPU 9 compares the mail main text of the SMTP mail with the word, word2 and word3 of the category5 of the mail category database 13 at the step SP63. And when it judges that there is agreement at the step SP64 (FIG. 9), it judges the category corresponding to the word agreed as the category5 at the step SP65.

[0096] Furthermore, if a negative result is obtained at the step SP64, the CPU 9 compares the head line of the request file of the SMTP mail with the word and word2 of the mail-category6 of the mail category database 13 at the step SP66; and at the step SP67, if it is found that there is agreement, it judges the category of the word agreed as the category6 at the step SP68.

[0097] With this arrangement, if the judgment results of the steps SP53, SP56, SP59, SP62, SP65 and SP68 are obtained, or if a negative result is obtained at the step SP67, the CPU 9 terminates the categorization processing at the step SP69, and returns to the main routine (FIG. 12) from the step SP70.
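The categorization subroutine SP42 of FIGS. 8 and 9 is an ordered fall-through: each step compares one set of mail items with the words of one mail-category, and the first agreement decides the category value. An implementation of that chain over a database shaped like FIG. 10, as an added example that is not from the patent: the database contents, category values and sample mails are constructed. For mail-category2 the step description [0092] reads “From” while the database definition [0101] reads “To”; this example follows [0101], which is an assumption. For mail-category5 the patent stores the word in each of the three kanji codes (word, word2, word3) and compares; the example instead decodes the main text with each codec and compares the word as text, which covers the same case of a body whose encoding is not known in advance.

```python
"""Added example, not from the patent: the categorization subroutine SP42
(FIGS. 8 and 9) as an ordered fall-through over a constructed mail category
database shaped like FIG. 10. Category values and samples are constructed."""

# Constructed mail category database 13: mail-category -> {word: category value}
MAIL_CATEGORY_DB = {
    "mail-category1": {"ceo@example.test": 101},       # "From" item (SP51)
    "mail-category2": {"legal@example.test": 102},     # "To" item per [0101] (SP54)
    "mail-category3": {"partner.example.test": 103},   # From/To/Cc/MAIL FROM/RCPT TO (SP57)
    "mail-category4": {"noreply@example.test": 104},   # "Reply-To" item (SP60)
    "mail-category5": {"機密": 105},                    # main text, three kanji codes (SP63)
    "mail-category6": {"USER": 106, "APOP": 106},      # head line of the POP3 request (SP66)
}
# word (EUC), word2 (JIS) and word3 (Shift-JIS) of paragraph [0070]
JAPANESE_CODECS = ("euc_jp", "iso2022_jp", "shift_jis")


def _any_word(values, words):
    """Category value of the first word contained in any of the item values."""
    for word, cat in words.items():
        if any(word in v for v in values if v):
            return cat
    return None


def _body_word(body, words):
    """SP63: the body is raw bytes of unknown kanji code; try each codec so a
    Shift-JIS, EUC or JIS body all agree with the same registered word."""
    for codec in JAPANESE_CODECS:
        text = body.decode(codec, errors="replace")
        for word, cat in words.items():
            if word in text:
                return cat
    return None


def categorize(header, smtp_from="", rcpt_to="", body=b"", head_line="",
               db=MAIL_CATEGORY_DB):
    """Return (category value, deciding step) or (None, 'SP67-negative').
    `header` is the MIME-decoded associative array; `head_line` is the first
    line of the POP3 request file (e.g. 'USER alice')."""
    h = lambda k: header.get(k, "")
    checks = [
        ("category1", lambda: _any_word([h("From")], db["mail-category1"])),
        ("category2", lambda: _any_word([h("To")], db["mail-category2"])),
        ("category3", lambda: _any_word(
            [h("From"), h("To"), h("Cc"), smtp_from, rcpt_to], db["mail-category3"])),
        ("category4", lambda: _any_word([h("Reply-To")], db["mail-category4"])),
        ("category5", lambda: _body_word(body, db["mail-category5"])),
        ("category6", lambda: _any_word([head_line], db["mail-category6"])),
    ]
    for name, check in checks:           # SP52, SP55, SP58, SP61, SP64, SP67
        cat = check()
        if cat is not None:
            return cat, name
    return None, "SP67-negative"         # no agreement anywhere: SP69 via SP67


if __name__ == "__main__":
    print(categorize({"From": "ceo@example.test"}))
    print(categorize({}, body="本文: 機密資料".encode("shift_jis")))
```

Because the chain stops at the first agreement, the order of the checks is part of the policy: a mail from the registered sender of mail-category1 is category1 even if its body also carries a mail-category5 word.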

[0098] According to the categorization processing of this step SP95, the mail information flowing in the objective network 2 will be simultaneously classified into a form of categorization that can be easily controlled by the manager of the management headquarter 4 who controls the objective network.

[0099] At this point, regarding the mail category database 13 of FIG. 10, the category numbers are attached respectively to one or the plural number of words having high priority on the 6 items of mail-category1 through mail-category6. Thus, in the case of reading out the analysis result data stored in the analysis result database 11 from the mail browser 4B of the management headquarter 4, mail information with high priority can be optionally read out.

[0100] The first categorization data CAT1 of the mail category database 13 is set as the mail-category1 onto one or multiple “names of mail transmitting ends” on the “From” item of the mail header unit with the category value.

[0101] The second categorization data CAT2 is set as the mail-category2 onto one or the plural number of “names of receiving ends” on the “To” item of the mail header unit with the category values.

[0102] Furthermore, the third categorization data CAT3 is set as the mail-category3 onto one or multiple items, making a group of all items, i.e., the SMTP command “MAIL FROM” item, “RCPT TO” item and the mail header “From” item, “To” item, “Cc” item, as a group of judgment information with the category values.

[0103] Moreover, the fourth categorization data CAT4 is set as the mail-category4 by attaching category values to one or multiple “Reply-To” (reply sending destination) items.

[0104] Moreover, the fifth categorization data CAT5 is set as the mail-category5 by attaching category values to one or multiple “Subject” items (title) of the mail header.

[0105] Moreover, the sixth categorization data CAT6 is set as the mail-category6 onto one or multiple “mail main text” items (i.e., registered characters) per each kanji code EUC, JIS, SHIFT-JIS.

[0106] Moreover, the seventh categorization data CAT7 is set as the mail-category7 onto one or more items in the word (POP), user name, or word2 (APOP), user name and password of the POP3 item (user name of the mail server).

[0107] Thus, the CPU 9, categorizing the electronic mail information monitored from various sides utilizing the category classification data CAT1 through CAT7 of the mail category database 13, stores these in the analysis result database 11, and returns to the main routine communication information recording processing procedure RT0 (FIG. 2) from the step SP96. Thus, the confirmation of electronic mail data from the analysis result database 11 can be easily conducted from the mail browser 4B of the management headquarter 4 as occasion demands.

[0108] (5) HTTP Data Analysis Processing Procedure

[0109] The CPU 9 of the communication information recording device 6 executes the “HTTP data analysis processing procedure” shown in FIGS. 15 and 16 at the HTTP data analysis step SP8 (FIG. 2).

[0110] When the CPU 9 enters the “HTTP data analysis processing procedure” SP8, it sets the condition to secure the session data from the nama database at the step SP100.

[0111] In the case of this embodiment, when the terminal devices 3A, 3B . . . read Web page information from the HTTP servers 14A, 14B . . . with three kinds of port numbers, 80, 3128 and 8080, the CPU 9 stores the Web page information in the analysis result database 11.

[0112] A request from the terminal devices 3A, 3B . . . starts from one of the “GET”, “POST”, “HEAD”, “DELETE”, “OPTIONS”, “PUT”, “LINK”, “UNLINK”, “TRACE”, “CONNECT” items.

[0113] For example, if the HTTP POST request is sent out from the terminal devices 3A, 3B . . . , the terminal devices 3A, 3B . . . send the HTTP POST request data DATA31 to the HTTP servers 14A, 14B . . . via the objective network 2. And responding to this, the HTTP servers 14A, 14B . . . transmit the HTTP POST response data DATA32 to the terminal devices 3A, 3B . . . via the objective network as shown in FIG. 19.

[0114] The HTTP POST request data DATA31 comprises a header unit S31 and a write-in unit S32 as shown in FIG. 18. And as well as sending the Web page read-in information to the HTTP servers 14A, 14B . . . by the header unit S31, the condition to add the contents written in the write-in unit S32 to the Web page to be read and sent out is added.

[0115] When the HTTP servers 14A, 14B . . . receive the HTTP POST request data DATA31, as shown in FIG. 19, the HTTP servers return the header part S33 and the main text part S34 formed of the processed Web page information to the terminal devices 3A, 3B . . . that sent out the request as the HTTP POST response data DATA32.

[0116] Moreover, as shown in FIG. 20(A), the terminal devices 3A, 3B . . . send out the Request and HTTP header of the HTTP GET request data DATA41 (there is no write-in unit S32 as in the case of FIG. 18) to the HTTP servers 14A, 14B . . . as the HTTP GET request data DATA41.

[0117] At this point, as shown in FIG. 20(B), the HTTP servers 14A, 14B . . . transmit the header unit S42 and the main text unit S43 (in this case, a still picture) to the terminal devices 3A, 3B . . . that sent out the request as the HTTP GET response data DATA42.

[0118] When the CPU 9 enters the HTTP data analysis subroutine, it reads out the request data DATA41 from the work memory 10 at the step SP101 continued from the step SP100 (FIG. 15). And at the step SP102, after confirming with which request the request data has started among the HTTP GET request, HTTP POST request, HTTP HEAD request . . . HTTP CONNECT request, it separates the request data at the step SP103.

[0119] Then, at the step SP104, in the case of the HTTP POST request, the CPU 9 reads the header unit S31 of the HTTP POST request DATA31. While in the case of the HTTP GET request, it reads in the header unit S41 of the HTTP GET request DATA41 (FIG. 20(A)). In this case the request data and response data are transferred by the HTTP (HyperText Transfer Protocol).

[0120] Then, at the step SP105, the CPU 9, after changing the HTTP header to the associative array so that each data item can be read, judges whether the HTTP header is NULL or not (i.e., whether the HTTP header exists or not).

[0121] At this point, if an affirmative result is obtained, this means that the terminal devices 3A, 3B . . . sent the request to the HTTP servers 14A, 14B . . . without attaching the HTTP header Host. And at this moment, at the step SP107, by adding “http://addressee IP (Internet Protocol) address/request text”, the CPU 9 determines the URL (Uniform Resource Locator), i.e., the resource name that determines the file uniquely, and proceeds to the following step SP108.

[0122] On the other hand, if a negative result is obtained at the step SP106, this means that the HTTP header Host was attached when the terminal devices 3A, 3B . . . sent the request to the HTTP servers 14A, 14B . . . . And at this moment, at the step SP109, the CPU 9 determines “http://HTTP header Host/Request text” as the URL and moves to the step SP108.

[0123] At the step SP108, the CPU 9 reads the response header of the response data. And at the step SP110, it judges whether the Content-Length item exists or not in the response header.

[0124] At this point, if a negative result is obtained, this means that there is a possibility that only single Web page information is included in the response data. And at this moment, at the step SP111, the CPU 9 reads the response data till the next response header of the file information comes out. And at the step SP112, the CPU 9 determines the main text after the response header to the next response header as one file, and stores this in the analysis result database 11.

[0125] On the other hand, if an affirmative result is obtained at thestep SP110, this means that there is a possibility that multiple Webpage information are included in the response data. And at this moment,the CPU 9 moves to the step SP113 and judges whether Content-Length=0 ornot on the Content-Length item.

[0126] At this point, if a negative result is obtained, this means thatmultiple Web pages are included. And at the step SP114, the CPU 9 readsin the data after the response header for Content-Length and moving tothe step SP112, stores the data as one file in the analysis resultdatabase 11.

[0127] Then, at the following step SP115, the CPU 9 judges whether theprocessing presently being conducted is the case of HTTP POST request orthe case of including “?” in the URL or not.

[0128] Here, if an affirmative result is obtained, this shows that thecontents of Web page information presently being processed are dynamiccontents.

[0129] More specifically, in the case of POST request, as describedabove in FIGS. 18 and 19, POST response data DATA32 (FIG. 19) is thedata transferred to the HTTP servers 14A, 14B . . . and the dataprocessed corresponding to the contents of the processing write-in unitS32 of the HTTP POST request DATA31 (FIG. 18), and accordingly, it hasdynamic contents.

[0130] Furthermore, the fact that “?” is included in the contents of URLattached on the step SP107 or SP109 means that the contents of Web pageinformation transmitted to the HTTP servers 14A, 14B . . . have dynamiccontents to be changed afterwards.

[0131] Accordingly, if a negative result is obtained at the step SP115,this means that the response data is the fixed type Web page informationnot having dynamic contents. And at this moment, the CPU 9, moving tothe step SP116, forms a directory making the data “from URL item to thelast /” as one name in the analysis result database 11. And at thefollowing step SP116, the CPU 9, moving the main text data presentlybeing processed to the location of the directory formed from the URLitem in the analysis result database 11, and as well as storing this inthe analysis result database 11 at the following step SP118, and recordsRequest, Response, URL, the storage location of the main text file inthe web*database 11A provided in the analysis result database 11.

[0132] Thus, in the case where Content-Length does not exist in theresponse header (SP110) and in the case where there existsContent-Length but Content-Length is not 0, the analysis result on theWeb page not having dynamic contents (step SP115) can be stored in theanalysis result database 11.

[0133] On the other hand, if an affirmative result is obtained at thestep SP113, this means that this is a special case, actually the lengthof Content is 0 even though that the response header has multiple Webpages. And at this moment, the CPU 9 moves to the step SP119, andrecords Request, Response, URL, main text file in the auxiliary databaseof the analysis result database 11 (i.e., Web*database 11A) (FIG. 17).

[0134] Furthermore, if an affirmative result is obtained at the stepSP115, this means that the data presently being processed is using thedynamic contents and not the static contents. And the CPU 9 moving tothe step SP119, records Request, Response, URL, main text file in theWeb*database 11A.

[0135] Thus, at the step SP118 or SP119, since the CPU 9 completesstoring the analysis result on the HTTP request header read in at thestep SP104 into the analysis result database 11, it moves to thefollowing step SP120 and judges whether any requests still remain ornot. And if an affirmative result is obtained, the CPU 9 returning tothe step SP103, repeats the processing on the remaining requests.

[0136] On the other hand, if a negative result is obtained at the stepSP120, this means that the processing on all requests contained in onesession has been completed. And at this moment, the CPU 9, moving to thestep SP121, judges whether the other session still exists in the workmemory 10 or not. And when an affirmative result is obtained, the CPU 9returns to the step SP101 and repeats the analysis operation of theremaining session.

[0137] If a negative result is obtained at the step SP121, this meansthat the processing of all HTTP data put in the work memory 10 has beencompleted. And at this moment, the CPU 9 returns to the communicationinformation recording processing procedure TRO (FIG. 2) from the stepSP122.

[0138] Furthermore, if a negative result is obtained at the step SP102,this means that the “HTTP data analysis” is not the Web page informationto be processed at the step SP8 according to the communicationinformation recording processing procedure RTO (FIG. 2). And at thismoment, the CPU 9 immediately returns to the communication informationrecording processing procedure RTO (FIG. 2) from the step SP122.
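The URL construction, body delimiting and static/dynamic classification of steps SP105 to SP119, written out as an added Python example (not code from the patent). The host name, addressee IP and captured bytes are constructed, and the record returned by analyze() stands in for the entry the analysis result database 11 would hold.

```python
import re

# Constructed sample exchange (hypothetical host and address, not data from the
# patent): a GET for a still picture answered with Content-Length, as in FIG. 20.
REQUEST = b"GET /img/logo.png HTTP/1.0\r\nHost: www.example.test\r\n\r\n"
RESPONSE = (b"HTTP/1.0 200 OK\r\nContent-Type: image/png\r\n"
            b"Content-Length: 8\r\n\r\n\x89PNG\r\n\x1a\n")
RESPONSE_HEADER_RE = re.compile(rb"HTTP/\d\.\d \d{3}")  # start of the next response header

def parse_header(block):
    """Split a header block into its first line and an associative array (SP105)."""
    lines = block.decode("latin-1").split("\r\n")
    fields = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            fields[name.strip().lower()] = value.strip()
    return lines[0], fields

def build_url(request_block, dst_ip):
    """SP106-SP109: the Host header gives the URL; without it the addressee IP is used."""
    request_line, fields = parse_header(request_block)
    method, path = request_line.split(" ")[:2]
    return method, "http://" + (fields.get("host") or dst_ip) + path

def split_response(stream):
    """SP110-SP114: the body runs for Content-Length bytes; with no Content-Length it
    runs up to the next response header. Returns (fields, body, remaining stream)."""
    head, _, rest = stream.partition(b"\r\n\r\n")
    _, fields = parse_header(head)
    if "content-length" in fields:
        n = int(fields["content-length"])
        return fields, rest[:n], rest[n:]
    nxt = RESPONSE_HEADER_RE.search(rest)
    cut = nxt.start() if nxt else len(rest)
    return fields, rest[:cut], rest[cut:]

def analyze(request_block, response_stream, dst_ip="198.51.100.7"):
    """One request/response pair -> the record kept for it (stands in for database 11)."""
    method, url = build_url(request_block, dst_ip)
    fields, body, _ = split_response(response_stream)
    dynamic = method == "POST" or "?" in url           # SP115: POST or "?" means dynamic
    zero_length = fields.get("content-length") == "0"  # SP113: Content-Length=0 special case
    record = {"method": method, "url": url, "body": body, "dynamic": dynamic}
    if dynamic or zero_length:
        record["store"] = "auxiliary"                  # SP119: Web database 11A only
    else:
        record["store"] = "main"                       # SP116-SP118: file under a URL directory
        record["directory"] = url[:url.rfind("/") + 1]  # name = URL up to the last "/"
    return record

if __name__ == "__main__":
    print(analyze(REQUEST, RESPONSE))
```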

[0139] (6) Intrusion Detection Analysis Processing Procedure

[0140] When the CPU 9 of the communication information recording device 6 enters the intrusion detection analysis step SP9 (FIG. 2), it stores the analysis result on the communications passed through the objective network 2 in the analysis result database 11 according to the intrusion detection analysis processing procedure SP9, as shown in FIG. 22.

[0141] When the CPU 9 enters the intrusion detection analysis step SP9, it delivers the data stream D0 received in the work memory 10 to the intrusion detection program.

[0142] Then, at the step SP142, the CPU 9 compares the data stream D0 against the intrusion patterns held by the intrusion detection program and, according to the intrusion detection program, records the matching data stream D0 in the work memory 11 as a file.

[0143] Then, at the step SP143, the CPU 9 extracts the header part and the main text part of the file based on the file recorded in the work memory 11 and forms a result file. At the following step SP144, the CPU 9 reads the intrusion pattern, the address of the transmitting end, the address of the receiving end, the sender port, the recipient port and the time of occurrence from the result file, and enters these in the analysis result database 11.

[0144] With this arrangement, since the communication record of the communication information passed through the objective network 2 can be stored in the analysis result database 11, the CPU 9 returns to the main routine, the communication information recording processing procedure RT0, from the step SP145.

[0145] Thus, according to the intrusion detection analysis processing procedure of FIG. 22, as to communication information that broke into the objective network 2 without an ID, its communication record can be stored in the analysis result database 11. The analysis result database 11 of the communication information recording device 6 can then be read out by using the Web browser 4B of the management headquarters 4 as occasion demands, and thereby the manager of the management headquarters 4 can reliably grasp the communication record of intruders.

[0146] (7) Operation of Communication Information Recording Device

[0147] According to the foregoing construction, when packet data for the mail server 4A flows in the objective network 2, the communication information recording device 6 (FIG. 1) attaches the monitor file name each time it receives the data and puts it in the work memory 10. At each analysis time (SP2, SP3), at the step SP4, attaching the analysis file name to each session, the communication information recording device 6 executes the processing of the mail data analysis step SP5, the POP3 server analysis step SP7 or the HTTP data analysis step SP8, and stores the analysis results in the analysis result database 11.

[0148] Thus, the manager of the management headquarters 4 can read out the analysis result data stored in the analysis result database 11 of the communication information recording device 6 from the Web browser 4B via the objective network 2 as occasion demands. Thereby the confirmation of the mail information flowing in the objective network 2 can be reliably conducted after the communication stops.

[0149] In the case of conducting such confirmation, when mail information is exchanged between the terminal devices 3A, 3B . . . and the mail server 4A and the mail servers 15A, 15B . . . , the mail data received will be categorized by the mail server analysis step SP5 and the POP3 server data analysis step SP7 of FIG. 2 and stored in the analysis result database 11.

[0150] In the case of Web page information, such as when the terminal devices 3A, 3B . . . send out requests to the HTTP servers 14A, 14B . . . and receive the responses, at the HTTP data analysis step SP8 the Web page information is classified into static Web page information and dynamic Web page information. As to the static Web page information, the storage location in the analysis result database 11 is reassembled into the auxiliary database 11A and stored there. Accordingly, when a detection request is sent out to the communication information recording device 6 from the Web browser 4B, the detection information required by the manager of the management headquarters 4 can be properly and easily read out with a simple procedure, enhancing the reproducibility of pages including images.

[0151] (8) Readout of Analysis Result Data

[0152] The analysis result data registered in the analysis result database 11 of the communication information recording device 6 is read out to the Web browser 4B of the management headquarters 4 according to the analysis result data readout processing procedure RT1.

[0153] In the analysis result data read-out processing procedure RT1, the CPU 9 receives a detection request from the Web browser 4B at the step SP131. Referring to the analysis result data of the analysis result database 11 at the step SP132, the CPU 9 extracts the analysis result data pertinent to the detection request from the referenced data at the step SP133.

[0154] Then, the CPU 9 sends the extracted analysis data to the Web browser 4B via the objective network 2 by using HTTP (HyperText Transfer Protocol) at the step SP134, and executes the processing to display this on the display of the Web browser 4B. Then, at the step SP135, the CPU 9 terminates the analysis result data read-out processing procedure RT1.

[0155] Thus, according to the analysis result data read-out processing procedure RT1 of FIG. 13, the manager of the management headquarters 4 can always confirm the mail information and the HTTP communication records passed through the objective network 2 as occasion demands.

[0156] (9) Other Embodiment

[0157] The embodiment described above has dealt with the case of forming the directory in the analysis result database 11 when "forming the directory using names from the URL to the last '/'" at the step SP116 of the "HTTP data analysis" processing procedure SP8 (FIGS. 15 and 16). However, instead of this, an external memory device formed of a disc recording device and provided separately from the analysis result database 11 may be used.

INDUSTRIAL UTILIZATION

[0158] The present invention can be utilized in a communication system to receive the communication data flowing into the objective network formed by the LAN and to confirm the contents of communications after the communication has been conducted.

1. A communication information recording device, wherein analysis result data is formed by monitoring data of a data stream flowing in the objective network, dividing said monitored data in each communication, and selecting the communication item data contained in said divided data, and then, by attaching the detection data to said analysis result data and storing these in an analysis result database, said analysis result data is selectively read out to outside from said analysis result database based on said detection data, resulting in confirming the result of communication through said objective network.
2. A communication information recording device according to claim 1, wherein said divided data comprises request data to a mail server connected to said objective network from another communication device and response data to said another communication device from said mail server.
3. A communication information recording device according to claim 1, wherein said divided data comprises header item data and mail main text data as said communication item data.
4. A communication information recording device according to claim 2, wherein said divided data comprises attachment file item data as said communication item data.
5. A communication information recording device according to claim 1, comprising a private database for storing said communication items of mail information to be restricted from unauthorized reading by other readers except reading by specific readers, as private items, and wherein a reading protect item is added to said communication items of said analysis result data that agree with the private item of said private database and stored in said analysis result database, so as not to read said communication items having said reading protect item attached thereto out of said analysis result database.
6. A communication information recording device as defined in claim 2, wherein a computer virus in an attachment file is detected from said divided data as said communication item data.
7. A communication information recording device according to claim 1, comprising a category database for storing category items to categorize communication items included in said divided data in correspondence with said communication items, and wherein said corresponding category items are attached to said communication items that agree with the communication items of said category database and stored in said analysis result database, so as to read said analysis result data out of said analysis result database for each category item.
8. A communication information recording device according to claim 1, wherein said divided data comprises request data from another communication device from the terminal device connected to said objective network and response data from said HTTP server to said communication device.
9. A communication information recording device according to claim 2, wherein if there exists a Content-Length item indicating the length of content in the response data from said HTTP server, the content is stored as a file and storage location data indicating the storage location of the corresponding divided data in the analysis result database are accumulated in a storage location database, and thereby said storage location data accumulated in said storage location database is read out to outside, so as to reproduce said divided data.